So admittedly my account was stolen (I won't use the word hacked because I doubt any real "hacking" was involved).

Whilst this is my own fault for using a small generic password since early beta, what I don't understand is why there's absolutely no system in place for email confirmation.

Once someone has your password that's it, the account is gone with no immediate way to recover it as they can change the email without needing access to the current email (big flaw). There isn't even an email telling you that it was changed or that your password was changed.

Riot could save a lot of time and money in support tickets (the wait time is anywhere from 3d-1w) from stupid people like myself if they tighten up how easy it is to completely hijack an account.

A few things that other games/services do:

Require email action on email change (this allows the original owner to always recover the account if their email isn't compromised)

Require a small access code sent by email/SMS when a new location/computer is detected

Additional layer of security in the form of secret question

Again, I'd like to emphasise that it's my own fault for not being more vigilant, but everyone would benefit from more security.

While that is a simple solution to his specific situation, it doesn't fix everything that is wrong with account security.

Looking at Battle.net might help, as that specific service suffered from a shit ton of hijacking, phishing and account corruption, and they learned and set up various mechanisms to protect their users (e.g. Authenticator).

Guild Wars 2 suffered a lot from stolen accounts in the first couple of weeks.

Now their account security is massive. They force you to use a password like this XKCD and even link to that comic in the password change page. If I remember correctly your password needs to be entirely unique, no two people can have the same password, making it harder for bruteforcers to reuse passwords they might have gotten their hands on earlier.

This is very improbable, as they probably don't know the raw password to begin with.

What usually happens is passwords are mixed with random strings (known as salting), and then one-way hashed. In doing so, the same password results in different hashes. In the case of a database compromise if an attacker brute-forces one, it will not compromise all other users with the same password.

It could be that the password you wanted to use was relatively common or simplistic like a name of a place, a correctly spelled word, or something popular and they have a blacklist of easy passwords like that. Macedonia is a word that is seemingly random (assuming you're not Macedonian of course) and longer but computer algorithms can quickly discover it.
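As an added illustration (not code from the original thread) of the salting described above and the kind of easy-password blacklist the comment speculates about: per-user random salts with PBKDF2, where the iteration count is the tunable work factor. The denylist contents, the choice of PBKDF2-HMAC-SHA256 and the 200,000-iteration default are assumptions.

```python
import hashlib
import hmac
import os

# Constructed denylist of easy passwords, standing in for the kind of
# blacklist the comment above guesses Guild Wars 2 keeps.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "leagueoflegends"}

# Assumed defaults: PBKDF2-HMAC-SHA256 with 16-byte salts. The iteration
# count is the work factor; raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def is_weak_password(password: str, min_length: int = 12) -> bool:
    """Reject passwords that are short or on the denylist (case-insensitive)."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return a storable record: fresh random salt, iteration count, digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def register_user(db: dict, username: str, password: str) -> bool:
    """Store the user only if the password passes the denylist check."""
    if is_weak_password(password):
        return False
    db[username] = hash_password(password)
    return True


def demo() -> bool:
    """Two users with the same password get unrelated records, so cracking
    one user's hash says nothing about the other's. Returns True if so."""
    db = {}
    assert not register_user(db, "alice", "password")  # denylisted
    assert register_user(db, "alice", "correct horse battery staple")
    assert register_user(db, "bob", "correct horse battery staple")
    same_pw_different_hashes = (
        db["alice"]["salt"] != db["bob"]["salt"]
        and db["alice"]["digest"] != db["bob"]["digest"]
    )
    return (
        same_pw_different_hashes
        and verify_password("correct horse battery staple", db["alice"])
        and not verify_password("Correct horse battery staple", db["alice"])
    )


if __name__ == "__main__":
    print("salted storage behaves as expected:", demo())
```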

Riot: He must have quickly decided to up and move to Nigeria, and now he wants to very quickly change his password on our website? Okay, let's go ahead and do that for him. Oh, and he wants a new email too? Okay, let's set that up.

Yeah, that feature is great. My account's security was compromised and I assumed it was some douchebag friend who got on my phone or something, but it turns out it was some guy in Wales who I sold what I assumed to be a completely destroyed phone to, but I guess he got it working.

Yea. For a 40 million user game, this is ridiculous. Runescape has pins and questions, Battle.Net games have questions and all the various forms of authenticators, Guild Wars 2 has its e-mails that you receive. Ridiculous.

My GW2 acc got 'hacked' (well, they can't get in because I need to confirm the email), so I've been getting around 1-2 login emails per day asking me to confirm a login attempt from some random city in China (it's always a different one) since September.

In SEA, Garena handles the distribution and servers for LoL here, so the game is started first and logged in through their main central client before we log into LoL. Our LoL accounts are tied to our Garena accounts, with the Garena account also attached to any other game you might play that's also distributed by Garena.

When we buy RP, we have to go through a secondary account login with our Garena accounts. I've not yet tried gifting RP, but I'm assuming you would have to confirm with your Garena account as well.

Generally speaking, security for Garena accounts appears solid; as long as LoL is tied to the main Garena accounts, it appears we do not have major account theft problems.

I don't want to sound like I'm blowing smoke out my ass but there was a talk at DEFCON about the vulnerabilities in regards to an HTTP page posting to an HTTPS form. Facebook used to do this for a while and was vulnerable, don't know if they still do.

Seeing as how my friends have done some fancy things with all of the LoL code in general (Chat and Tribunal apps on Android) in addition to all the stuff I see via others that work with the Client and such....

Riot has terrible security practices. HTTPS and two-factor authentication need to be at least one of the first things they work on.

This looks like https to me. I don't know the whole story, but a quick look at the source code of the site shows that you have some https calls embedded. Just because the main site is not https does not mean that parts of it aren't. Also, https is not a sign of a secure login.

Well, there is no actual problem with the security in general, both the website and the air client are using SSL.
But yeah, password/email changes are way too accessible to anyone who owns the password.

For most people this is snake oil, since the answer is in most cases a common word. Security questions often backfire since you can just brute force them by using a dictionary. It is easier to break that secret question than the actual password. Whenever such a layer is added I just enter something random like "alkjfhslkdflksgfrg" or sth, so it cannot backfire.

The longest pass I do have is 1024 characters long. Not kidding. Was wondering if it would work (since A LOT of sites restrict characters and pass length) and it somehow did. I was amazed. It actually freezes my browser for ~2 sec when I press login. :v

For example take the first word and add the character value of the first four letters.

League of legends.

(L=12, e=5, a=1, g=7)

Password: League12517

Now you'll never have password problems again as you have a system you use on everything. The only flaw to this is of course if someone discovers your system, but that would require someone to get multiple of your passwords and analyze them. Most stealers just grab username/password and have people testing them.

You "just" grab a portable version of KeePass, copy it on your Memory Stick and make it sync with Dropbox or some other online storage¹. Auto Type obfuscation circumvents most key-/clipboard-loggers, and memorizing countless passwords is not your problem anymore, because you let the program handle them. And if you fear losing both copies of the file, just print a password list at home every month...

Now you memorize one good passphrase like "Barnabas spoke a trainer panted above his suitable technique"
(or longer) which encrypts & (un)locks your database.

People still think password policies from 10 years ago are a good way to secure your account, when nowadays GPUs can crack most passwords in an offline attack (unlikely scenario, but just imagine someone steals Riotgames' DB) in 1 hour tops....
And reusing passwords, logins, etc. is also a horrible idea because one security flaw may invalidate your security concept.

¹ Make sure to pick a safe encryption for your database, so even super effective offline attacks against your database will only allow 1-5 password tries per second.
You shouldn't care if it takes 0.1 or 6 seconds to unlock your database. But it makes a huge difference if an attacker can try 10 passwords/second or 0.16 passwords/second.

People still think password policies from 10 years ago are a good way to secure your account, when nowadays GPUs can crack most passwords in an offline attack (unlikely scenario, but just imagine someone steals Riotgames' DB) in 1 hour tops....

Unless they're using MD5 or another fast hash, that's not true at all. Things like Bcrypt or 3DES are significantly slower to process, even on GPUs, and will take significant amounts of time. For instance, Bcrypt with only a cost of 5 was only able to be processed at 78k Passwords/Second (on a 25GPU box), and increasing that to cost 6 increases the work from 32 iterations of the hash to 64.

tl;dr only fast hashing algorithms can be brute forced in "1 hour tops" and nowhere should be using them (But people probably still are)

tl;dr only fast hashing algorithms can be brute forced in "1 hour tops" and nowhere should be using them (But people probably still are)

I can't do more than completely agree with you on everything you wrote, including the "people still do use them".
That's the point that I wanted to state with

[...] Make sure to pick a safe encryption for your database [...] You shouldn't care if it takes 0.1 or 6 seconds to unlock your database. But it makes a huge difference, if an attacker can try 10 passwords/second or 0.16 passwords/second.

The use of it is that I don't think I'll never forget my password, and it's very unlikely I'd visit any dodgy websites from my main PC, I do regular scans, if my account ever gets stolen (I have never had any accounts stolen from me over my 8 year time of playing online games) I'll be using my recovery question to get the password back.

I assume you mean ever. Then your sentence makes sense. Problem is some services already easily allow you to change the secret question once you're logged in, completely invalidating everything that you planned.

I agree that that's a horrible security concept, but before you change that around, go for a good concept like two-factor authentication in the first place...

I debated putting it up there but it has proven to be helpful for other stuff

Care to give some examples? In my opinion security questions are just another security flaw. You openly provide a hole for social engineering if you supply a real question with the appropriate answer (first pet's name, first school, name of your first chef boss, mother's name, etc.)

Especially in times of social networking, etc. most security questions are completely unsafe.

I personally do, though I try to pick a question that requires someone to actually know something about me that is not really known by many people. I suppose it's not difficult for someone I know to figure out which elementary school I went to or my mother's maiden name, but I'd like to think it would help against random people on the Internet..

I agree highly, and I was just talking about this to another friend of mine.
It IS important because skins do cost money, and for someone like me who has spent over 100€ on skins this would be really good. (Also because I got some jewels like Candy Cane MF, Ragdoll Poppy and a lot of other skins which are not available anymore)
Hint: I got a bit more than 50 skins :P

It is indeed scary that accounts worth hundreds of Euros can be lost just like that. When I played WoW I was hacked like 5-7 times, but it was so easy to recover accounts, and Blizzard made sure anything lost was replaced.
That is one place where Riot could learn from Blizzard.

Obviously this person uses the same email everywhere such as WoW Forums. Then to make it worse, he/she uses the same password for all of them...
D

duh Sarcasm

But really, this is one way they get into your account. A lot of guild forums and general game forums out there aren't secure enough. The owner might not know about MySQL injections and such, and all those emails become his target list. If the passwords aren't encrypted when they are stored, then the hacker has the passwords that people use all the time. Set up some computers to spam them all and check if they get in.

Same thing happens if you buy WoW gold. Those sellers have an email and a password for your account. They would be stupid not to try it out and see if they can get into your account.

In this situation, like blizzard, you had 1 of many options for security:

Mobile authentication, as you mentioned, through the app

SMS authentication

Physical authenticator.

The physical one is pretty cheap, and for a loooooong time Blizzard was giving them away. For a while all you had to do was tweet Blizz CSR on twitter. I got my authenticator for free, and got all of my friends one as well.

This needs way more publicity than it actually gets. The security measures for accounts in this game are beyond laughable. At the very least, they need to add a security question and e-mail authorization for account changes.

I personally love the 'Token Authentication' method, but there is a significant cost associated with this. Blizzard runs them for their games, but I'm not sure of what they are paying. We run them for users at my office, but they run about 80 USD a person all said and done for licensing and stuff like that. If they could do this on the cheap end or for free, it's definitely the way to go.

I would really like a Steam Guard like feature, I remember someone was trying to get into my steam account once and I just laughed every time a Steam Guard email came through since he was obviously trying to brute force the code.

I let him go at it for a couple of hours until I decided to change my password. Knowing that extra layer of security is there is really assuring.

Having worked for Blizzard as a Senior of their Account Administration team, I can dutifully say that Riot's security methods are completely archaic based on industry standards, and I would very much love to help them fix this. Too bad they don't have a job for me, as I'd love to get my hands dirty on that front.

Maybe one of them will read this, but either way. Your suggestions are really good, and it's a great start. HTTPS would be the first major step that nobody would notice. That combined with adding a two-step auth (though Air may not support this off the bat), secret question, stronger pw requirements, better automated retrieval, as well as more security on email changes, would be amazing.

When they finally respond, you just have to provide proof of account ownership (when it was made, name, etc), then you'll have your account back, along with free IP they made for you. (This is assuming they got your password and changed the email associated with the account to one of theirs.)

My account got hijacked around 12 days ago. I have all the champs and a shitload of skins and Riot won't give it back because "They already sent the email to the attached mail account"

So it's been 10 days since I reported the incident to Latin American Support and I have 0 answers. NA support just closed my ticket and I can't play at all :/ No one is helping me and no one seems to have time to give me an answer

This is a HUGE flaw and I can't believe this hasn't been addressed yet. The security of your customers' accounts, especially with games you pay $ to play, should be a main concern of yours. This needed fixing last year. Wow, off to change my pw to 17 random numbers and letters.

Having an authenticator similar to the one Blizzard has for WoW would be the best solution in my opinion. Plus, I think that if Riot were to offer something like this they would end up selling pretty well because of the sheer amount of time and money many players have invested in to their accounts.

The problem with passwords is that they are based on human memory. There is a trade-off between a good password and an easy to remember password.

Having passwords is not a problem, but we need some added layers of security. Like stated, either a system similar to Guild Wars 2 with e-mails or maybe a security token.

This shouldn't be mandatory, but the options should be available.

If somebody wants to take their password integrity into their own hands, I recommend using a master password program (like I use). My league password is something ridiculous and I copy-paste it whenever I want to log in. A bit more effort, but if you want to get invested in security it's something.

Actually, it's not as hard as you might think to remember something like an 80-bit random password. (14 characters, 0-9, A-Z) All it takes is a random password - password generators on the web work - and a sticky note. After about 6 times of typing it in, you have it memorized.

They could also implement a visual login system like Windows 8. I know W8 gets a lot of rage on reddit, but it has its benefits. If you're not familiar with it, what this system does is genius:

Pick a picture; you choose one of the preset pictures or upload your own.

You set your "password" by clicking 3 times, in any spot on the picture. The "clicking" locations and order are your password. For example, you can have a picture of a kitten. You can have your password be: click on the kitten's nose, click on his left paw, click on the nose again.

You're in!

The genius part of this system is that you really can't accidentally give away your password because it was the same as something else you used. It's also much much harder to forget what it was! There's also no way to "steal" someone's login if it uses this method. You can't social engineer it (google the person's 1st dog's name, or something), you can't keylog it (Yes, there are backdoor trojans that can log X + Y mouse coordinates and clicks, but we're getting closer and closer to "hard as hell to get around"), and essentially impossible to forget.

And I agree with you 100000%. I wish it was optional. Any of these ideas would take care of the problem.

It is honestly laughable how poor their security system is. It makes me not want to purchase more RP for fear of losing my account so easily. I've only invested $60 into league but I have friends that have far surpassed $300. They really need to address this.

That's not how it works.
You would only need to confirm logging in from a new PC once, when you log in for the first time. Then it's saved as a known device.
Basically what Facebook does. There you can also manage the known device list yourself.

The worst part is that support never helps with anything. I have the impression that the support answers are just bots spamming the same message over and over again. Yes I did get my account stolen but I managed to get it back (not with the help from Riot)

Now I don't really understand why someone would want to hack a LoL account, as there is barely any profit involved compared to hacking a Blizzard WoW account. If you have RP then you can gift yourself, but that leaves a transaction. So I am guessing that it might be someone you know either online or in real life.

I know one way people 'hack' Blizzard accounts is they go to related forums. There are a ton of WoW forums out there. Guild, server, info, help, etc. Many of these forums are run by novice or amateur website owners who don't know a lot about security database-wise. They use simple MySQL which leads to MySQL injections. Makes it very easy to grab emails and passwords. Now if the passwords are not encrypted then it is so much easier for the hacker (actual hacker). There are other ways too which I'm not too familiar with. They send this info to their bots that test each one of these emails and passwords. Anytime it works, it gets sent to another 'hacker' who then goes into your account, sells all your stuff and takes the gold.

Now I am guessing with LoL accounts, they just test the username. But the amount of work involved for such little profit is weird to me. Can you send RP to someone with the RP you have or do you need to buy more RP to send it to someone?

Always thought this, and tbh this post makes me think that someone is going to do it because it's been brought to their attention or something. I don't keep my credit cards saved on my account because I knew the security was archaic...

Though I wonder what the hacker would gain from hijacking a league account if it had no RP outside of wanting to fuck up your runes or maybe league points?

They wouldn't let me do a summoner name swap between my two own accounts (despite having done so in the past) because they couldn't 'verify' my account. They then proceeded to ask me 20 questions about things I did on my account over a year ago which I have no recollection of today. So I told them to go fuck themselves.

When I logged in to my WoW account I got so frustrated at what I had to do to get my password back ... But it works, an authenticator etc etc, though the LoL accounts aren't like WoW accounts. Being a web developer myself, I think Riot could do a lot to improve the security. I am not sure how the passwords are sent to the server, I would have to start Wireshark to test that, but I agree that LoL has no security whatsoever.

I like having a keytag that generates a random sequence of numbers to allow a log in. Make it optional for those people who are worried about their account being hacked. And give a free skin along with it in order to give incentive for purchase.

Just a simple physical/mobile authenticator would solve so many problems with security. I heard that the account recovery service is overwhelmed and you have to wait like a week to get a response.
Adding the option for an authenticator would save Riot lots of time and make players more safe.

And then I need to change my password but there's some weird 2 year old security question, the answer to which I can't possibly remember. I want to change the e-mail because I forgot something there and I can't without confirmation on that given email. I just feel like it complicates everything for no reason. I mean, I don't mind if there would be an option like Yahoo does with the seal things, for those interested. You'd have something like "Your account isn't fully secure, learn about RIOT LOGIN", which would give some more options, but forcing too much unnecessary defense onto everyone doesn't seem the right thing to do, especially with so few complaints.

Aside from the obvious social engineering leading to account compromises, there's also the possibility of a database breach on Riot's servers themselves, thereby possibly leaking out account login data en masse. Granted, the possibility of that is low assuming the company does not use shoddy security measures, but the possibility is there. We've seen that happen when WoW, HoN, and even League's EU servers were hacked into at one point.

At least some sort of additional layer of security would make a database breach like that a bit less devastating.

Facebook has the same problem with the email being able to be replaced. You can gain access to someone's account, then simply change the email to your own, and boom, their facebook is now your own. There are a few email loopholes you can jump through to get it back, but you have to look out for them.

I dislike the idea of needing the old email to change to a new one. I've had accounts be eliminated on prior school servers and unable to access it, which leads to some trouble when trying to change the information.

Agreed 100%. My best friend just got his account stolen last week. But luckily he sent Riot a support email, they asked him a couple questions related to his account, and he got it back.

But still, the account security of this game is just out of my mind. All you need is a password and you can change everything on that account. Basically make that account become yours by changing the email and password.

If they had multiple logins for each account (e.g: forum and game account), I could understand that the process would be a little harder. But the way they have it set up, I find it hard to believe on how they haven't changed it yet.

One of two things for sure: either they have a really bad system behind it which makes these changes hard to implement, or they are somehow winning with this situation and have no desire to change it.

I can't STAND all the bullshit you have to go through to edit ANYTHING in your battle.net account. ALL that security and annoyance.. for NOTHING, since Blizzard got hacked and all the passwords were coughed up.

I got it back, though. Riot did a great job. I had to provide them with my original login info and the summoner name, and some other information. They reset the account, and I got it back relatively painlessly.

To be fair - "industry standard" is typically incredibly unnecessary and overwhelming, often locking users out of their own account because they can't wade through three levels of security.

But yeah, Riot could definitely step this up a bit. I just really don't want them turning into Apple and being all "Make a password with numbers and symbols and lowercase and capital letters and answer three pre-chosen questions about your personal life and give us your credit card info and birth date and mother's maiden name and three e-mail addresses JUST IN CASE but no you still can't log into your own account because you misplaced a semicolon."

I feel ashamed that I never realised this lack of account security until I read your post! Thanks for pointing this out and regarding all the popularity and success of LoL, Riot should definitely change and improve this issue soon.

Yep. I thought my brother was trustworthy and so I let him use my account sometimes. One day, he gets mad at me over something so minor and then decides to go onto my account; removes all my friends, trolls a ranked game, and then changes my email. So now I have to send a ticket to Riot support since he won't tell me a thing as if the account belongs to him now.